Contact Us
Contact Us
Login
Advisory

Nuvation Battery Storage Systems Vulnerabilities: CVE-2025-64119

Last Updated: January 13, 2025

Dragos recently evaluated Nuvation Energy’s Battery Management System (BMS) and Multi-Stack Controller (MSC) devices for security vulnerabilities.

The following vulnerabilities were identified in the Battery Management Systems up to and including the latest software release, called Descartes:

  • CVE-2025-64119: CWE-603 (Client-Side Authentication), CVSSv3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

The following vulnerabilities were introduced in the Multi-Stack Controller nPlatform 2.3.8 and are fixed in nPlatform 2.5.1:

  • CVE-2025-64120: CWE-78: OS Command Injection: CVSSv3 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2025-64121: CWE-288: Authentication bypass Using an Alternate Path or Channel: CVSSv3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

The following vulnerabilities are present in all prior MSC builds and are fixed in nPlatform 2.5.1:

  • CVE-2025-64122: Private key stored on device: CVSSv3.1 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2025-64124: CWE-78: OS Command Injection: CVSSv3.1 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

The following vulnerability is still present and impacts the MSC including the current release:

  • CVE-2025-64123: CWE-441: Unintended Proxy or Intermediary: CVSSv3.1 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

The following vulnerability was present in the nCloud/VPN service and has been remediated for all customers automatically:

  • CVE-2025-64125: CWE-923: Improper Restriction of Communication Channel to Intended Endpoints: CVSSv3 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L).
    • Note: this vulnerability is essentially impossible to score correctly with CVSS, and prior to the fix this vulnerability could be chained with other MSC vulnerabilities to exploit connected appliances.

End users are urged to update their MSC to nPlatform 2.5.1 / MSC 22.4.0, and to protect both the MSC and the BMS from access by adversarial networks. Consult Nuvation’s documentation for enabling authentication on the MSC, and set a strong password. Security-conscious end users may wish to restrict access to the nCloud service.

Refer to Dragos VA-2025-06 for additional information or send inquiries to intel@dragos.com.